Introduction to Cryptography. Lecture 8
|
|
- Phoebe Lewis
- 6 years ago
- Views:
Transcription
1 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1
2 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) page 2 2
3 Cyclic Groups Exponentiation is repeated application of a 3 = a a a. a 0 = 1. a -x = (a -1 ) x A group G is cyclic if there exists a generator g, s.t. a G, i s.t. g i =a. I.e., G= <g> = {1, g, g 2, g 3, } For example Z 7 * = <3> = {1,3,2,6,4,5} Not all a G are generators of G, but they all generate a subgroup of G. E.g. 2 is not a generator of Z 7 * The order of a group element a is the smallest j>0 s.t. a j =1 Lagrange s theorem for x Z p*, ord(x) p-1. page 3 3
4 Computing in Z p * P is a huge prime (1024 bits) Easy tasks (measured in bit operations): Adding in O(log p) (namely, linear n the length of p) Multiplying in O(log 2 p) (and even in O(log 1.7 p) ) Inverting (a to a -1 ) in O(log 2 p) Exponentiations: x r mod p in O(log r log 2 p), using repeated squaring page 4 4
5 Euler s phi function Lagrange s Theorem: a in a finite group G, a G =1. Euler s phi function (aka, Euler s totient function), φ(n) = number of elements in Z * n φ(p) = p-1 for a prime p. n= i=1..k p e(i) i φ(n) = n i=1..k (1-1/p i ) φ(p 2 ) = p(p-1) for a prime p. n=p q φ(n) =(p-1)(q-1) (i.e. {x gcd(x,n)=1, 1 x n} Corollary: For Z n* (n=p q), Z n* = φ(n) =(p-1)(q-1). a Z n* it holds that a φ(n) =1 mod n For Z p* (prime p), a p-1 =1 mod p (Fermat s theorem). For Z n* (n=p q), a (p-1)(q-1) =1 mod n page 5 5
6 Finding prime numbers page 6 6
7 Finding prime numbers Prime number theorem: #{primes x} x / lnx as x How can we find a random k-bit prime? Choose x at random in {2 k,,2 k+1-1} (How many numbers in that range are prime? About 2 k+1 / ln2 k+1-2 k / ln2 k numbers, i.e. a 1/ ln(2 k ) fraction.) Test if x is prime (more on this later in the course) The probability of success is 1/ln(2 k ) = O(1/k). The expected number of trials is O(k). page 7 7
8 Finding generators How can we find a generator of Z p*? Pick a random number a [1,p-1], check if is a generator Naively, check whether 1 i p-2 a i 1 But we know that if a i =1 mod p then i p-1. Therefore need to check only i for which i p-1. Easy if we know the factorization of (p-1). In that case For all a Z p*, the order of a divides (p-1) For every integer divisor b of (p-1), check if a b =1 mod p. If none of these checks succeeds, then a is a generator, since a is a generator iff ord(a)=p-1. page 8 8
9 Finding prime numbers of the right form How can we know the factorization of p-1? Easy, for example, if p=2q+1, and q is prime. How can we find a k-bit prime of this form? 1. Search for a prime number q of length k-1 bits. (Will be successful after about O(k) attempts.) 2. Check if 2q+1 is prime (we will see how to do this later in the course). 3. If not, go to step 1. page 9 9
10 Hard problems in cyclic groups A hard problem can be useful for constructing cryptographic systems, if we can show that breaking the system is equivalent to solving this problem. page 10 10
11 The Discrete Logarithm Let G be a cyclic group of order q, with a generator g. h G, x [1,,q], such that g x =h. This x is called the discrete logarithm of h to the base g. log g h = x. log g 1 = 0, and log g (h 1 h 2 ) = log g (h 1 )+ log g (h 2 ) mod q. page 11 11
12 The Discrete Logarithm Problem and Assumption The discrete log problem Choose G,g at random (from a certain family G of groups), where G is a cyclic group and g is a generator Choose a random element h G Give the adversary the input (G, G,g,h) The adversary succeeds if it outputs log g h The discrete log assumption There exists a family G of groups for which the discrete log problem is hard Namely, the adversary has negligible success probability. page 12 12
13 Cyclic groups of prime order (The order of a group G is the number of elements in the group) Z p * has order p-1 (and p-1 is even and therefore nonprime). We will need to work in groups of prime order. If p=2q+1, and q is prime, then Z p * has a subgroup of order q (namely, a subgroup of prime order). page 13 13
14 Hard problems in cyclic groups of prime order The following problems are believed to be hard in subgroups of prime order of Z p * (if the subgroup is large enough) The discrete log problem The Diffie-Hellman problem: The input contains g and x,y G, such that x=g a and y=g b (where a,b where chosen at random). The task is to find z=g a b. The Decisional Diffie-Hellman problem: The input contains x,y G, such that x=g a and y=g b (and a,b were chosen at random); and a pair (z,z ) where one of (z,z ) is g a b and the other is g c (for a random c). The task is to tell which of (z,z ) is g a b. Solving DDH solving DH solving DL All believed to be hard if the size of the subgroup > page 14 14
15 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating and distributing k. k Alice k Bob page 15 15
16 Diffie and Hellman: New Directions in Cryptography, We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. page 16 16
17 Diffie-Hellman Came up with the idea of public key cryptography public key Bob Alice Bob secret key Bob Everyone can learn Bob s public key and encrypt messages to Bob. Only Bob knows the decryption key and can decrypt. Key distribution is greatly simplified. Diffie and Hellman did not have an implementation for a public key encryption system Suggested a method for key exchange over insecure communication lines, that is still in use today. page 17 17
18 Public Key-Exchange Goal: Two parties who do not share any secret information, perform a protocol and derive the same shared key. No eavesdropper can obtain the new shared key (if it has limited computational resources). The parties can therefore safely use the key as an encryption key. page 18 18
19 The Diffie-Hellman Key Exchange Protocol Public parameters: a group where the DDH assumption holds. For example, a subgroup H Z p * (where p = 768 or 1024, p=2q+1) of order q, and a generator g of H Z p *. Alice: picks a random a [1,q]. Sends g a mod p to Bob. Computes k=(g b ) a mod p Bob: picks a random b [1,q]. Sends g b mod p to Bob. Computes k=(g a ) b mod p K = g ab is used as a shared key between Alice and Bob. DDH assumption K is indistinguishable from a random key page 19 19
20 Diffie-Hellman: security A (passive) adversary Knows Z p*, g Sees g a, g b Wants to compute g ab, or at least learn something about it Recall the Decisional Diffie-Hellman problem: Given random x,y Z p*, such that x=g a and y=g b ; and a pair (g ab,g c ) (in random order, for a random c), it is hard to tell which is g ab. An adversary that distinguishes the key g ab generated in a DH key exchange from random, can also break the DDH. Note: it is insufficient to require that the adversary cannot compute g ab. page 20 20
21 Diffie-Hellman key exchange: usage The DH key exchange can be used in any group in which the Decisional Diffie-Hellman (DDH) assumption is believed to hold. Currently, Z p * and elliptic curve groups. Common usage: Overhead: 1-2 exponentiations Usually, A DH key exchange for generating a master key Master key used to encrypt session keys Session key is used to encrypt traffic with a symmetric cryptosystem page 21 21
22 Why don t we implement Diffie-Hellman in Zp* (but rather in a subgroup H Zp*, for p=2q+1, of order q, and a generator g of H Zp*). For the system to be secure, we need that the DDH assumption holds. This assumption does not hold in Zp* (see discussion below) page 22 22
23 Quadratic Residues The square root of x Z p* is y Z p * s.t. y 2 =x mod p. Examples: sqrt(2) mod 7 = 3, sqrt(3) mod 7 doesn t exist. How many square roots does x Z p* have? If a and b are square roots of x, then x=a 2 =b 2 mod p. Therefore for any two square roots of any number x it holds that (a-b)(a+b)=0 mod p. Therefore either a=b or a= -b modulo p. Therefore x has either 2 or 0 square roots, and is denoted as a Quadratic Residue (QR) or Non Quadratic Residue (NQR), respectively. There are exactly (p-1)/2 QRs. page 23 23
24 Quadratic Residues x (p-1)/2 is either 1 or -1 in Z * p (since (x (p-1)/2 ) 2 is always 1). Euler s theorem: x Z p* is a QR iff x (p-1)/2 = 1 mod p. Legendre s symbol: x p 1 = 1 0 x is a QR in Z x is an NQR in Z x= 0 mod Legendre s symbol can be efficiently computed as x (p-1)/2 mod p. Another way to look at this: let g be a generator of Z p*. Then every x can be written as x=g i mod p. It holds that x is a QR iff i is even. The quadratic residues form a subgroup of order (p-1)/2 (=q) p * p * p page 24 24
25 Does the DDH assumption hold in Z p*? The DDH assumption does not hold in Z p * Assume that both x=g a and y=g b are QRs in Z p*. Then g ab is also a QR, whereas a random g c is an NQR with probability ½. Solution: (work in a subgroup of prime order) Set p=2q+1, where q is prime. φ(z p* ) = p-1 = 2q. Therefore Z p * has a subgroup H of prime order q. Let g be a generator of H (for example, g is a QR in Z p* ). The DDH assumption is believed to hold in H. (The Legendre symbol is always 1.) page 25 25
26 An active attack against the Diffie-Hellman Key Exchange Protocol An active adversary Eve. Can read and change the communication between Alice and Bob. As if Alice and Bob communicate via Eve. Alice Eve Bob page 26 26
27 Man in-the-middle: an active attack against the Diffie-Hellman Key Exchange protocol Alice: picks a random a [1,q]. Sends g a mod p to Bob. Bob: Eve changes g a to g c Computes k=(g d ) a mod p Eve changes g b to g d Keys: Alice Eve Bob g ad g ad, g bc g bc picks a random b [1,q]. Sends g b mod p to Alice. Computes k=(g c ) b mod p Solution:? (wireless usb) page 27 27
28 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing PK Alice can encrypt messages using it. Message decryption is possible only if SK Alice is known. Compared to symmetric encryption: Easier key management: n users need n keys, rather than O(n 2 ) keys, to communicate securely. Compared to Diffie-Hellman key agreement: No need for an interactive key agreement protocol. (Think about sending ) Secure as long as we can trust the association of keys with users. page 28 28
29 Public key encryption Must have different keys for encryption and decryption. Public key encryption cannot provide perfect secrecy: Suppose E pk () is an algorithm that encrypts m=0/1, and uses r random bits in operation. An adversary is given E pk (m). It can compare it to all possible 2 r encryptions of 0 Efficiency is the main drawback of public key encryption. page 29 29
30 Defining a public key encryption The definition must include the following algorithms; Key generation: KeyGen(1 k ) (PK,SK) (where k is a security parameter, e.g. k=1000). Encryption: C = E PK (m) algorithm) (E might be a randomized Decryption: M= D SK (C) page 30 30
31 The El Gamal public key encryption system Public information (can be common to different public keys): A group in which the DDH assumption holds. Usually start with a prime p=2q+1, and use H Z p* of order q. Define a generator g of H. Key generation: pick a random private key a in [1, H ] (e.g. 0<a<q). Define the public key h=g a (h=g a mod p). Encryption of a message m H Z p * Pick a random 0 < r < q. The ciphertext is (g r, h r m). Decryption of (s,t) Compute t /s a (m= h r m / (g r ) a ) Using public key alone Using private key page 31 31
32 El Gamal and Diffie-Hellman ElGamal encryption is similar to DH key exchange DH key exchange: Adversary sees g a, g b. Cannot distinguish the key g ab from random. El Gamal: A fixed public key g a. Sender picks a random g r. Sender encrypts message using g ar. Known to the adversary Used as a key El Gamal is like DH where The same g a is used for all communication There is no need to explicitly send this g a (it is already known as the public key of Alice) page 32 32
33 The El Gamal public key encryption system Setting the public information A large prime p, and a generator g of H Z p* of order q. p = 756 or 1024 bits. p-1 must have a large prime factor (e.g. p=2q+1) Otherwise it is easy to solve discrete logs in Z p * (relevant also to DH key agreement) Needed for the DDH assumption to hold (Legendre s symbol) g must be a generator of a large subgroup of Z p*. page 33 33
34 The El Gamal public key encryption system Encoding the message: m must be in the subgroup H generated by g. If p=2q+1, and H is the subgroup of quadratic residues, we can map each message m {1,,(p-1)/2} to the value m 2 mod p, which is in H. Alternatively, encrypt m using (g r, H(h r ) m). Decryption is done by computing H( (g r ) a ). (H is a hash function that preserves the pseudo-randomness of h r.) page 34 34
35 The El Gamal public key encryption system Overhead: Encryption: two exponentiations; preprocessing possible. Decryption: one exponentiation. message expansion: m (g r, h r m). Randomized encryption Must use fresh randomness r for every message. Two different encryptions of the same message are different! (provides semantic security) page 35 35
Topics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationEindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015
Eindhoven University of Technology MASTER Kleptography cryptography with backdoors Antheunisse, M. Award date: 2015 Disclaimer This document contains a student thesis (bachelor's or master's), as authored
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More information